On Fri, May 27, 2016 at 01:10:40AM +0000, Simpson Lachlan wrote:
> > With the “allow all” HBAC rule enabled, we have no trouble logging in to any
> > machine via ssh. When we disable the “allow all” rule and make specific
> > per-machine rules (as per the idea of ‘host based’ in HBAC), we get
> > unpredictable results, primarily resulting in an inability to login via ssh.
> > This result is intermittent – sometimes we can login, but sometimes we can’t.
> One noted way to "break" the HBAC is a long period of inactivity in that shell.

Typically, this is because of issues in group membership for that user.
Does id report all the groups the user should be a member of?

With recent enough SSSD, the hbac evaluator prints more verbose debug
messages (down to the individual elements of HBAC rules) to see why
exactly the rules didn't match.

There were fixes in the latest 7.2.z IPA update to help fix a problem
with the same AD group being a member of multiple IPA external groups,
maybe that would fix your problem.
